ISREDIT MACRO       /* CARM0527 VIEW USERLIST report  */
/* ---------------------------------------------------------------- */
/* CARM0527 - ISPF edit macro (TSO/E CLIST) run against a RACF      */
/* USERLIST report that is open in VIEW.  It scans the user records */
/* and writes one PDI member per compliance check (see ADD_MEMBER): */
/*   RACF0570  required user fields: name, owner, default group and */
/*             a password or password phrase date                   */
/*   RACF0580  interactive users: password interval and last access */
/*   RACF0710  SPECIAL attribute (user, or SYS group connect)       */
/*   RACF0720  OPERATIONS attribute (user, or SYS group connect)    */
/*   RACF0730  AUDITOR attribute (user, or any group connect)       */
/* Users named in the DIALOG data set members listed per check are  */
/* removed from that check (see DIALOG_RTN).  All field positions   */
/* are hard coded to the USERLIST layout; a layout change requires  */
/* every SUBSTR and column bound below to be re-verified.  The edit */
/* session is cancelled on exit, so the report is never modified.   */
/* ---------------------------------------------------------------- */
 
/* 01/23/2006 JL Nelson Created to perform USERID checks.
/* 01/24/2006 JL Nelson Ignore IBM supplied USERIDs.
/* 01/27/2006 JL Nelson RACF0580 look for TSO segments only.
/* 03/13/2006 JL Nelson Set/test RCode for critical ISREDIT commands.
/* 07/09/2007 CL Fenton Changed output from multi to single lines.
/* 09/12/2007 CL Fenton Changed RACF0710, RACF0720, and RACF0730 from
/*            Manual Review to Documentable within VMS.
/* 02/28/2009 CL Fenton Added bypass of userid and tsoid when userid
/*            is blank.
/* 09/02/2009 CL Fenton Chgs made on allowing passdate of 00.000 and
/*            reporting name gt 9999999999 in other words hi values.
/* 04/07/2010 CL Fenton Chgs record format to all for PASS-INTERVAL.
/* 08/31/2010 CL Fenton Added Dialog data set to remove authorized
/*            users from PDI member created in this process.  Also
/*            made changes for with positions to search.
/* 04/07/2010 CL Fenton Chgs field entry for attributes and groups.
/* 09/19/2011 CL Fenton Chgs in password interval to allow for 254 days
/*            CSD-AR002561268.
/* 09/19/2011 CL Fenton Chgs processing of connect group entries on users,
/*            CSD-AR003000316.
/* 06/28/2012 CL Fenton Chgs to RACF0710 and RACF0720 to bypass user
/*            connected to non SYS groups per vul check specs.
/* 09/18/2012 CL Fenton Corrected multiple errors on USR containing
/*            special characters (+, -, *, and /).
/* 05/22/2013 CL Fenton Added FTPUSERS for RACF0580 and removed 254 day
/*            for FTP users to remove conflict between RACF0580 and
/*            RACF0440, STS-000796.  Also added the removal of EMERAUDT
/*            for RACF0580.
/* 03/07/2014 CL Fenton Removed TSOPROC requirement from RACF0580, STS-004646.
/* 06/02/2014 CL Fenton Added exclusion of users with FTP in name for
/*            RACF0580, STS-005560.
/* 09/20/2016 CL Fenton Changed all references of IAO to ISSO.
/* 05/22/2018 CL Fenton Added "Not Reviewed" to RACF0710, RACF0720,
/*            and RACF0730 for vuls that require additional analysis
/*            and reduced what groups are dropped for check,
/*            STS-019713.
/* 02/19/2020 CL Fenton Added PHRASEDATE for evaluation, STS-023663.
 
SET PGMNAME = &STR(CARM0527 02/19/20)
 
/* Shared with the SYSCALL PROCs DIALOG_RTN and ADD_MEMBER below.   */
NGLOBAL PGMNAME RETURN_CODE PDIID PDIMBR ZERRSM DIALOG DSNAME
 
SET SYSPROMPT = OFF                /* CONTROL NOPROMPT          */
SET SYSFLUSH  = OFF                /* CONTROL NOFLUSH           */
SET SYSASIS   = ON                 /* CONTROL ASIS - caps off   */
 
/* ISPF services hand their return code back in LASTCC instead of   */
/* ending the CLIST; the ERROR routine below then records it.       */
ISPEXEC CONTROL ERRORS RETURN
 
/* ERROR ROUTINE */
/* Entered when a command or ISPF service ends with a non-zero      */
/* return code.  It only saves the code in RETURN_CODE and resumes  */
/* after the failing statement, so every caller must test           */
/* RETURN_CODE itself.  The loops below depend on this: FIND/SEEK   */
/* not found gives 4, LMMADD on an existing member gives 4, LMGET   */
/* at end of member gives 8.  Codes of 16 and above are echoed.     */
ERROR DO
  SET RETURN_CODE = &LASTCC          /* SAVE LAST ERROR CODE */
  IF &LASTCC GE 16 THEN +
    WRITE &PGMNAME LASTCC = &LASTCC &ZERRLM
  RETURN
  END
 
/* *************************************** */
/* VARIABLES ARE PASSED TO THIS MACRO      */
/* CONSLIST                                */
/* COMLIST                                 */
/* SYMLIST                                 */
/* TERMMSGS                                */
/* *************************************** */
 
SET RETURN_CODE = 0
 
/* Run options and handles from the driving dialog: CONSLIST,       */
/* COMLIST, SYMLIST and TERMMSGS become CONTROL settings; PDIID is  */
/* the DATAID of the PDI output data set; DIALOG is the DATAID of   */
/* the authorized user lists; TYPERUN is only echoed on error.      */
ISPEXEC VGET ( +
  CONSLIST     +
  COMLIST      +
  SYMLIST      +
  TERMMSGS     +
  PDIID        +
  DIALOG       +
  TYPERUN      +
  ) ASIS
 
/* VGET code is handed back to the caller at exit (RM527VG). */
SET RM527VG  = &RETURN_CODE
/* Without the pool variables nothing can be checked: raise the code */
/* past 16 (fatal) and leave through ERR_EXIT.                       */
IF &RETURN_CODE NE 0 THEN DO
  WRITE &PGMNAME VGET RC = &RETURN_CODE  &ZERRSM
  WRITE &PGMNAME CONSLIST/&CONSLIST COMLIST/&COMLIST SYMLIST/&SYMLIST +
    TERMMSGS/&TERMMSGS
  WRITE &PGMNAME PDIID/&PDIID +
    TYPERUN/&TYPERUN
  SET RETURN_CODE = &RETURN_CODE + 16
  GOTO ERR_EXIT
  END
 
/* *************************************** */
/* TURN ON MESSAGES                        */
/* *************************************** */
 
SET SYSSYMLIST = &SYMLIST          /* CONTROL SYMLIST/NOSYMLIST */
SET SYSCONLIST = &CONSLIST         /* CONTROL CONLIST/NOCONLIST */
SET SYSLIST    = &COMLIST          /* CONTROL LIST/NOLIST       */
SET SYSMSG     = &TERMMSGS         /* CONTROL MSG/NOMSG         */
 
/* Editor facts: the data set name (used by ADD_MEMBER to reload    */
/* the report), the number of data lines (bound of the read loops)  */
/* and the data width (right column bound of the attribute          */
/* searches).  MBRNAME is not referenced further in this macro.     */
ISREDIT (MBRNAME)  = MEMBER
ISREDIT (DSNAME)   = DATASET
ISREDIT (LASTLINE) = LINENUM .ZLAST
ISREDIT (DW) = DATA_WIDTH
 
/* LP and RP are parenthesis literals for text such as userid(s).  */
/* CC is the left column bound of the attribute searches, so the   */
/* userid and name columns (1 to 31) are never searched.  BLANK is */
/* not referenced.                                                 */
SET BLANK = &STR( )
SET LP = &STR((
SET RP = )
SET CC = 32
 
/* Check 1: RACF0570.  Each RACFnnnn variable counts the findings   */
/* of its check; zero at the end of the check means Not a Finding.  */
SET PDIMBR = RACF0570
SET RACF0570 = 0
SET CURLINE = 0
 
/* *************************************** */
/* READ LOOP                               */
/* *************************************** */
/* RACF0570: every user record must carry a name, an owner, a       */
/* default group and either a password date or a password phrase    */
/* date.  One report line is written per user that fails.           */
 
NEXT_USERID: +
SET RETURN_CODE = 0
SET CURLINE = &CURLINE + 1
 
IF &CURLINE GT &LASTLINE THEN GOTO END_USERID
 
ISREDIT (DATA) = LINE &CURLINE
 
SET USERID  = &SUBSTR(01:08,&NRSTR(&DATA))
 
/* Skip the IBM supplied RACF internal ids and blank ids.  SYSASIS  */
/* is ON, so the compare is case sensitive and must match the ids   */
/* exactly as the report prints them.                               */
SELECT &STR(&USERID)
  WHEN (irrcerta) GOTO NEXT_USERID
  WHEN (irrmulti) GOTO NEXT_USERID
  WHEN (irrsitec) GOTO NEXT_USERID
  WHEN (        ) GOTO NEXT_USERID
  END
 
/* Report columns: NAME 10-31, OWNER 33-40, PASSDATE 42-47,         */
/* PWPDATE (password phrase date) 49-54, DFTGRP 94-101.  NRSTR      */
/* keeps ampersands in the record text from being rescanned.        */
SET NAME    = &SUBSTR(10:31,&NRSTR(&DATA))
SET DFTGRP  = &SUBSTR(94:101,&NRSTR(&DATA))
SET OWNER   = &SUBSTR(33:40,&NRSTR(&DATA))
SET PASSDATE = &SUBSTR(42:47,&NRSTR(&DATA))
SET PWPDATE = &SUBSTR(49:54,&NRSTR(&DATA))
 
/* CNT is incremented here but never reported or read elsewhere.    */
SET CNT     = &CNT + 1
 
/* ERROR counts the missing required fields.  A NAME that compares  */
/* above 9999999999 catches a field filled with high values         */
/* (09/02/2009 change).                                             */
SET ERROR   = 0
IF &STR(&NAME)   EQ &STR( ) OR +
   &STR(&NAME)   GT &STR(9999999999) OR +
   &STR(&NAME)   EQ &STR(UNKNOWN ) THEN SET ERROR = &ERROR + 1
IF &STR(&DFTGRP) EQ &STR( ) OR +
   &STR(&DFTGRP) EQ &STR(NONE ) THEN SET ERROR = &ERROR + 1
IF &STR(&OWNER)  EQ &STR( ) OR +
   &STR(&OWNER)  EQ &STR(NONE ) THEN SET ERROR = &ERROR + 1
 
/* Protected users (no password) with all other fields present are  */
/* not reported.  The attribute text must appear past column 90,    */
/* presumably so that a NAME containing the word is not matched.    */
IF &SYSINDEX(&STR( APROTECTED ),&NRSTR(&DATA)) GT 90 AND +
  &ERROR EQ 0 THEN GOTO NEXT_USERID
 
/*IF &STR(&PASSDATE) EQ &STR(N/A  ) THEN +
/*  SET ERROR = &ERROR + 1
/*IF &STR(&PASSDATE) EQ &STR(N/A  ) OR +
/*   &STR(&PASSDATE) EQ &STR(00.000 ) THEN SET ERROR = &ERROR + 1
/* Only a user with neither a password date nor a password phrase   */
/* date is a finding; a phrase only user passes (02/19/2020 change).*/
IF &STR(&PASSDATE) EQ &STR(N/A  ) AND +
   &STR(&PWPDATE) EQ &STR(N/A  ) THEN +
  SET ERROR = &ERROR + 1
 
IF &ERROR EQ 0 THEN GOTO NEXT_USERID
 
/* First finding: write the member heading once. */
IF &RACF0570 EQ 0 THEN DO
  SET AC = &STR(The following userid&LP.s&RP does &LP.do&RP not +
    have the required field&LP.s&RP completed.)
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
  SET AC = &STR( )
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
  END
 
SET RACF0570 = &RACF0570 + 1
 
SET AC = &STR(     &USERID NAME=&NAME OWNER=&OWNER +
  DEFAULT-GROUP=&DFTGRP)
 
/* PASSDATE is shown only for users that are not protected. */
IF &SYSINDEX(&STR( APROTECTED ),&NRSTR(&DATA)) EQ 0 THEN +
  SET AC = &STR(&AC PASSDATE=&PASSDATE)
 
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
  DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
 
GOTO NEXT_USERID
 
 
/* Summary: Not a Finding when no user was reported, otherwise the  */
/* DISA recommendation.  ADD_MEMBER then stores the member and      */
/* reloads the report for the next check.                           */
END_USERID: +
SET RETURN_CODE = 0
 
IF &RACF0570 EQ 0 THEN DO
  SET AC = &STR(Not a Finding )
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
 
  SET AC = &STR( )
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
 
  SET AC = &STR(All userid&LP.s&RP contain the required fields.)
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
      DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
  END
ELSE DO
  SET AC = &STR( )
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
 
  SET AC = &STR(DISA recommendation: All userid records must have +
    the users name, the owner, a default group, and the password +
    fields defined.)
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
  END
 
SYSCALL ADD_MEMBER
 
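SET PDIMBR = RACF0580
/* ---------------------------------------------------------------- */
/* RACF0580: interactive userids must have a password interval of   */
/* 1 to 60 days and a known LAST-ACCESS.  Protected users are not   */
/* examined.  Users excluded in the editor (the authorized lists    */
/* below and names containing FTP) are exempt from the interval     */
/* test but still get the LAST-ACCESS test; REVOKED is echoed for   */
/* context only.                                                    */
/* ---------------------------------------------------------------- */
SET RACF0580 = 0
SET CURLINE = 0
 
/* DIALOG members whose users are excluded from this check. */
SET GROUP = &STR(EMERAUDT FTPUSERS)
 
/* Walk the blank separated list; B is the last column of the      */
/* current name.  The list is padded with one blank so the last    */
/* name is delimited too.                                          */
SET A = 1
DO WHILE &A LT &LENGTH(&STR(&GROUP))
  SET B = &SYSINDEX(&STR( ),&STR(&GROUP ),&A) - 1
  SET ATTR = &SUBSTR(&A:&B,&STR(&GROUP))
  SYSCALL DIALOG_RTN &ATTR
  SET A = &B + 2
  END
 
/* Users with FTP anywhere in the NAME field (columns 10 to 32)    */
/* are excluded (06/02/2014 change, STS-005560).                   */
ISREDIT EXCLUDE ALL "FTP" 10 32
 
ISREDIT CURSOR = 1 0
 
/* *************************************** */
/* READ LOOP                               */
/* *************************************** */
 
NEXT_TSOID: +
SET RETURN_CODE = 0
SET CURLINE = &CURLINE + 1
 
IF &CURLINE GT &LASTLINE THEN GOTO END_TSOID
 
/* LINE by number returns excluded lines as well. */
ISREDIT (DATA) = LINE &CURLINE
 
SET USERID  = &SUBSTR(01:08,&NRSTR(&DATA))
 
/* Skip the IBM supplied RACF internal ids and blank ids (case     */
/* sensitive compare, SYSASIS is ON).                              */
SELECT &STR(&USERID)
  WHEN (irrcerta) GOTO NEXT_TSOID
  WHEN (irrmulti) GOTO NEXT_TSOID
  WHEN (irrsitec) GOTO NEXT_TSOID
  WHEN (        ) GOTO NEXT_TSOID
  END
 
/* X when the line is excluded (authorized or FTP user), else NX.  */
ISREDIT (XSTAT) = XSTATUS &CURLINE
 
/* Report columns: NAME 10-31, PASSINT 56-58, LASTACC 60-74,       */
/* TSOPROC 76-83 (read but no longer tested, 03/07/2014 change).   */
SET NAME    = &SUBSTR(10:31,&NRSTR(&DATA))
SET TSOPROC = &SUBSTR(76:83,&NRSTR(&DATA))
SET PASSINT = &SUBSTR(56:58,&NRSTR(&DATA))
SET LASTACC = &SUBSTR(60:74,&NRSTR(&DATA))
 
/* NRSTR keeps ampersands in the record text from being rescanned, */
/* matching the RACF0570 tests.  Protected users are not examined. */
IF &SYSINDEX(&STR( APROTECTED ),&NRSTR(&DATA)) GT 90 THEN +
  GOTO NEXT_TSOID
IF &SYSINDEX(&STR( AREVOKED ),&NRSTR(&DATA)) GT 90 THEN +
  SET REV = &STR(REVOKED)
ELSE +
  SET REV = &STR(       )
 
SET ERROR   = 0
/*IF &STR(&TSOPROC) EQ &STR( ) OR +
/*   &STR(&TSOPROC) EQ &STR(NONE ) THEN SET ERROR = &ERROR + 1
/* Interval test only for lines that are not excluded.  The ELSE   */
/* pairs with the inner IF: a blank or N/A interval is a finding,  */
/* otherwise a numeric interval of 0 or above 60 is a finding.     */
IF &STR(&XSTAT) EQ &STR(NX) THEN +
  IF &STR(&PASSINT) EQ &STR( ) OR +
     &STR(&PASSINT) EQ &STR(N/A) THEN SET ERROR = &ERROR + 1
  ELSE +
    IF &PASSINT EQ 0 OR +
       &PASSINT GT 60 THEN SET ERROR = &ERROR + 1
/* LAST-ACCESS is tested for every user, excluded or not. */
IF &STR(&LASTACC) EQ &STR( ) OR +
   &STR(&LASTACC) EQ &STR(UNKNOWN ) THEN SET ERROR = &ERROR + 1
 
IF &ERROR EQ 0 THEN GOTO NEXT_TSOID
 
/* First finding: write the member heading once. */
IF &RACF0580 EQ 0 THEN DO
  SET AC = &STR(The following interactive userid&LP.s&RP does +
    &LP.do&RP not have the required field&LP.s&RP completed.)
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
  SET AC = &STR( )
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
  END
 
SET RACF0580 = &RACF0580 + 1
 
SET AC = &STR(     &USERID NAME=&NAME +
  LAST-ACCESS=&LASTACC +
  PASS-INTERVAL=&PASSINT &REV)
 
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
  DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
 
GOTO NEXT_TSOID
 
 
/* Summary: Not a Finding when no user was reported, otherwise the  */
/* DISA recommendation.  ADD_MEMBER then stores the member and      */
/* reloads the report for the next check.                           */
END_TSOID: +
SET RETURN_CODE = 0
 
IF &RACF0580 EQ 0 THEN DO
  SET AC = &STR(Not a Finding )
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
 
  SET AC = &STR( )
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
 
  SET AC = &STR(All interactive userid&LP.s&RP contain +
    the required fields.)
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
  END
ELSE DO
  SET AC = &STR( )
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
 
  /* Superseded text kept for reference only: it was overwritten   */
  /* by the next SET before any LMPUT, so it never reached the     */
  /* member (TSOPROC requirement removed 03/07/2014).              */
  /*SET AC = &STR(DISA recommendation: All interactive userid +
  /*  records must have the users name, TSO account number, and the +
  /*  password fields defined.)
  SET AC = &STR(DISA recommendation: All interactive userid +
    records must have a password interval of 1 to 60 and an +
    appropriate password date.)
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
  SET AC = &STR(Note: Use "ALTUSER userid RESUME" to set the +
    LAST-ACCESS to the current date and time.)
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
  END
 
SYSCALL ADD_MEMBER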
 
 
SET PDIMBR = RACF0710
/* ---------------------------------------------------------------- */
/* RACF0710: users holding the SPECIAL attribute directly (A) or    */
/* through a group connect (G).  Group connects are reported only   */
/* for SYS prefixed groups that pass the data set list test below;  */
/* excluded (authorized) users are skipped.  Findings are headed    */
/* Not Reviewed because they need manual analysis (05/22/2018       */
/* change, STS-019713).                                             */
/* ---------------------------------------------------------------- */
SET RACF0710 = 0
SET ATTRB = SPECIAL
/* Only the last SET GROUP is effective; the two above appear to be */
/* the earlier, wider lists that STS-019713 reduced.                */
SET GROUP = &STR(EMERAUDT SECAAUDT SECBAUDT SECDAUDT)
SET GROUP = &STR(EMERAUDT SECAAUDT SECBAUDT)
SET GROUP = &STR(SECAAUDT)
 
/* Walk the blank separated list of DIALOG members; each one names */
/* authorized users that DIALOG_RTN excludes from this check.      */
SET A = 1
DO WHILE &A LT &LENGTH(&STR(&GROUP))
  SET B = &SYSINDEX(&STR( ),&STR(&GROUP ),&A) - 1
  SET ATTR = &SUBSTR(&A:&B,&STR(&GROUP))
  SYSCALL DIALOG_RTN &ATTR
  SET A = &B + 2
  END
 
ISREDIT CURSOR = 1 0
 
NEXT_SPECIAL: +
SET RETURN_CODE = 0
 
/* SEEK also stops on excluded lines, so exclusion is tested below  */
/* with XSTATUS.  The search runs from column CC to the data width; */
/* not found ends with RC 4 through the ERROR routine.              */
ISREDIT SEEK '&ATTRB ' &CC &DW
 
IF &RETURN_CODE NE 0 THEN GOTO END_SPECIAL
 
/* POS is the column of the hit.  The byte before it is A for a     */
/* user attribute or G for a group connect attribute, as the report */
/* marks them.                                                      */
ISREDIT (,POS) = CURSOR
 
ISREDIT (STAT) = XSTATUS .ZCSR
 
ISREDIT (DATA) = LINE .ZCSR
 
/* Anything other than A or G before the word is not an attribute   */
/* hit.  The A-and-excluded test and the blank test are already     */
/* covered by the first test and the XSTATUS test; kept as written. */
IF &SUBSTR(&POS-1,&NRSTR(&DATA)) NE &STR(A) AND +
   &SUBSTR(&POS-1,&NRSTR(&DATA)) NE &STR(G) THEN GOTO NEXT_SPECIAL
IF &SUBSTR(&POS-1,&NRSTR(&DATA)) EQ &STR(A) AND +
   &NRSTR(&STAT) EQ &STR(X) THEN GOTO NEXT_SPECIAL
/* Use below to exclude all security user in GROUP */
IF &NRSTR(&STAT) EQ &STR(X) THEN GOTO NEXT_SPECIAL
IF &SUBSTR(&POS-1,&NRSTR(&DATA)) EQ &STR( ) THEN +
   GOTO NEXT_SPECIAL
 
/* GRPNM stays null for a user attribute; the output line then      */
/* omits GROUP.  For a connect attribute walk back from the hit to  */
/* the preceding GROUP= tag; GRPNM runs from there to the next      */
/* blank.  The first SET GRPNM is overwritten by the second.        */
SET GRPNM =
IF &SUBSTR(&POS-1,&NRSTR(&DATA)) EQ &STR(G) THEN DO
  DO X = &POS-3 TO &CC BY - 1 +
    UNTIL &SUBSTR(&X:&X+6,&NRSTR(&DATA)) EQ &STR( GROUP=)
    END
  SET Y = &SYSINDEX(&STR( ),&NRSTR(&DATA),&X+1)
  SET GRPNM = &SUBSTR(&X+7:&POS-3,&NRSTR(&DATA))
  SET GRPNM = &SUBSTR(&X+7:&Y-1,&NRSTR(&DATA))
  /* LMDLIST with the group as LEVEL(GRPNM): a non-zero code (no   */
  /* data sets under that prefix, or an error) drops the entry.    */
  /* Presumably group SPECIAL matters only where the group owns    */
  /* data sets; confirm against the check specification.           */
  ISPEXEC LMDINIT LISTID(TSTDSN) LEVEL(&GRPNM)
  SET RETURN_CODE = 0
  ISPEXEC LMDLIST LISTID(&TSTDSN)
  SET LMDLIST_RC = &RETURN_CODE
  ISPEXEC LMDFREE LISTID(&TSTDSN)
  IF &LMDLIST_RC GT 0 THEN GOTO NEXT_SPECIAL
  /* Excluded lines were already skipped above, so this test does  */
  /* not fire; kept as written.                                    */
  IF &SYSINDEX(&STR(SYS),&NRSTR(&GRPNM)) EQ 1 AND +
     &NRSTR(&STAT) EQ &STR(X) THEN GOTO NEXT_SPECIAL
  /* Add below to allow SPECIAL when GRPNM not a SYStem prefix. */
  IF &SYSINDEX(&STR(SYS),&NRSTR(&GRPNM)) NE 1 THEN GOTO NEXT_SPECIAL
  END
 
SET USERID  = &SUBSTR(01:08,&NRSTR(&DATA))
SET NAME    = &SUBSTR(10:31,&NRSTR(&DATA))
 
/* First finding: heading.  Not Reviewed goes first because each    */
/* entry needs an analyst decision (justification on file).         */
IF &RACF0710 EQ 0 THEN DO
  SET AC = &STR(Not Reviewed)
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
  SET AC = &STR(The following authorization&LP.s&RP to the &ATTRB +
    attribute is &LP.are&RP inappropriate:)
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
  SET AC = &STR( )
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
  SET AC = &STR(1&RP The number of userids granted the &ATTRB +
    attribute is excessive.)
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
  SET AC = &STR(2&RP Justification for authorization was not +
    provided.)
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
  SET AC = &STR( )
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
  END
 
SET RACF0710 = &RACF0710 + 1
 
/* One line per finding; group connects name the group. */
IF &NRSTR(&GRPNM) EQ &STR( ) THEN +
  SET AC = &STR(     &USERID NAME=&NAME ATTRIBUTE=&ATTRB )
ELSE +
  SET AC = &STR(     &USERID NAME=&NAME GROUP=&GRPNM +
    CONNECT ATTRIBUTE=&ATTRB )
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
  DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
 
GOTO NEXT_SPECIAL
 
 
/* Summary: Not a Finding when nothing was reported, otherwise the  */
/* DISA recommendation.  ADD_MEMBER then stores the member and      */
/* reloads the report for the next check.                           */
END_SPECIAL: +
SET RETURN_CODE = 0
 
IF &RACF0710 EQ 0 THEN DO
  SET AC = &STR(Not a Finding )
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
 
  SET AC = &STR( )
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
 
  SET AC = &STR(No userids were found with attribute of &ATTRB.)
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
      DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
  END
ELSE DO
  SET AC = &STR( )
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
 
  SET AC = &STR(DISA recommendation: Ensure documentation +
    providing justification for access is maintained and filed +
    with the ISSO, and that unjustified access is removed.)
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
  END
 
SYSCALL ADD_MEMBER
 
 
SET PDIMBR = RACF0720
/* ---------------------------------------------------------------- */
/* RACF0720: users holding the OPERATIONS attribute directly (A) or */
/* through a group connect (G).  Group connects are reported only   */
/* for SYS prefixed groups; excluded (authorized) users are skipped */
/* by FIND NX.  Findings are headed Not Reviewed because they need  */
/* manual analysis (05/22/2018 change, STS-019713).                 */
/* ---------------------------------------------------------------- */
SET RACF0720 = 0
SET ATTRB = OPERATIONS
 
/* Only the last SET GROUP is effective; the one above appears to   */
/* be the earlier, wider list that STS-019713 reduced.              */
SET GROUP = &STR(EMERAUDT DASDAUDT)
SET GROUP = &STR(DASDAUDT)
 
/* Walk the blank separated list of DIALOG members; each one names */
/* authorized users that DIALOG_RTN excludes from this check.      */
SET A = 1
DO WHILE &A LT &LENGTH(&STR(&GROUP))
  SET B = &SYSINDEX(&STR( ),&STR(&GROUP ),&A) - 1
  SET ATTR = &SUBSTR(&A:&B,&STR(&GROUP))
  SYSCALL DIALOG_RTN &ATTR
  SET A = &B + 2
  END
 
ISREDIT CURSOR = 1 0
 
NEXT_OPER: +
SET RETURN_CODE = 0
 
/* FIND NX skips excluded (authorized) lines directly.  The search */
/* runs from column CC to the data width; not found ends with RC 4 */
/* through the ERROR routine.                                      */
ISREDIT FIND '&ATTRB ' &CC &DW NX
 
IF &RETURN_CODE NE 0 THEN GOTO END_OPER
 
/* POS is the column of the hit.  The byte before it is A for a     */
/* user attribute or G for a group connect attribute, as the report */
/* marks them; anything else is not an attribute hit.               */
ISREDIT (,POS) = CURSOR
 
ISREDIT (DATA) = LINE .ZCSR
 
IF &SUBSTR(&POS-1,&NRSTR(&DATA)) NE &STR(A) AND +
   &SUBSTR(&POS-1,&NRSTR(&DATA)) NE &STR(G) THEN +
   GOTO NEXT_OPER
 
/* GRPNM stays null for a user attribute; the output line then      */
/* omits GROUP.  For a connect attribute walk back from the hit to  */
/* the preceding GROUP= tag; GRPNM runs from there to the next      */
/* blank.  The first SET GRPNM is overwritten by the second.        */
SET GRPNM =
IF &SUBSTR(&POS-1,&NRSTR(&DATA)) EQ &STR(G) THEN DO
  DO X = &POS-3 TO &CC BY - 1 +
    UNTIL &SUBSTR(&X:&X+6,&NRSTR(&DATA)) EQ &STR( GROUP=)
    END
  SET Y = &SYSINDEX(&STR( ),&NRSTR(&DATA),&X+1)
  SET GRPNM = &SUBSTR(&X+7:&POS-3,&NRSTR(&DATA))
  SET GRPNM = &SUBSTR(&X+7:&Y-1,&NRSTR(&DATA))
  /* Add below to allow OPERATIONS when GRPNM not a SYStem prefix. */
  IF &SYSINDEX(&STR(SYS),&NRSTR(&GRPNM)) NE 1 THEN GOTO NEXT_OPER
  END
 
SET USERID  = &SUBSTR(01:08,&NRSTR(&DATA))
SET NAME    = &SUBSTR(10:31,&NRSTR(&DATA))
 
/* First finding: heading.  Not Reviewed goes first because each    */
/* entry needs an analyst decision (justification on file).         */
IF &RACF0720 EQ 0 THEN DO
  SET AC = &STR(Not Reviewed)
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
  SET AC = &STR(The following authorization&LP.s&RP to the &ATTRB +
    attribute is &LP.are&RP inappropriate:)
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
  SET AC = &STR( )
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
  SET AC = &STR(1&RP The number of userids granted the &ATTRB +
    attribute is excessive.)
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
  SET AC = &STR(2&RP Justification for authorization was not +
    provided.)
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
  SET AC = &STR( )
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
  END
 
SET RACF0720 = &RACF0720 + 1
 
/* One line per finding; group connects name the group. */
IF &NRSTR(&GRPNM) EQ &STR( ) THEN +
  SET AC = &STR(     &USERID NAME=&NAME ATTRIBUTE=&ATTRB )
ELSE +
  SET AC = &STR(     &USERID NAME=&NAME GROUP=&GRPNM +
    CONNECT ATTRIBUTE=&ATTRB )
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
  DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
 
GOTO NEXT_OPER
 
 
/* Summary: Not a Finding when nothing was reported, otherwise the  */
/* DISA recommendation.  ADD_MEMBER then stores the member and      */
/* reloads the report for the next check.                           */
END_OPER: +
SET RETURN_CODE = 0
 
IF &RACF0720 EQ 0 THEN DO
  SET AC = &STR(Not a Finding )
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
 
  SET AC = &STR( )
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
 
  SET AC = &STR(No userids were found with attribute of &ATTRB.)
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
      DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
  END
ELSE DO
  SET AC = &STR( )
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
 
  SET AC = &STR(DISA recommendation: Ensure documentation +
    providing justification for access is maintained and filed +
    with the ISSO, and that unjustified access is removed.)
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
  END
 
SYSCALL ADD_MEMBER
 
 
SET PDIMBR = RACF0730
/* ---------------------------------------------------------------- */
/* RACF0730: users holding the AUDITOR attribute directly (A) or    */
/* through a group connect (G).  Unlike SPECIAL and OPERATIONS,     */
/* every group connect is reported (no SYS prefix filter).          */
/* Excluded (authorized) users are skipped by FIND NX.  Findings    */
/* are headed Not Reviewed because they need manual analysis        */
/* (05/22/2018 change, STS-019713).                                 */
/* ---------------------------------------------------------------- */
SET RACF0730 = 0
SET ATTRB = AUDITOR
 
/* Only the last SET GROUP is effective; the one above appears to   */
/* be the earlier, wider list that STS-019713 reduced.              */
SET GROUP = &STR(AUDTAUDT EMERAUDT SECAAUDT SECBAUDT SECDAUDT)
SET GROUP = &STR(AUDTAUDT SECAAUDT)
 
/* Walk the blank separated list of DIALOG members; each one names */
/* authorized users that DIALOG_RTN excludes from this check.      */
SET A = 1
DO WHILE &A LT &LENGTH(&STR(&GROUP))
  SET B = &SYSINDEX(&STR( ),&STR(&GROUP ),&A) - 1
  SET ATTR = &SUBSTR(&A:&B,&STR(&GROUP))
  SYSCALL DIALOG_RTN &ATTR
  SET A = &B + 2
  END
 
ISREDIT CURSOR = 1 0
 
NEXT_AUDIT: +
SET RETURN_CODE = 0
 
/* FIND NX skips excluded (authorized) lines directly.  The search */
/* runs from column CC to the data width; not found ends with RC 4 */
/* through the ERROR routine.                                      */
ISREDIT FIND '&ATTRB ' &CC &DW NX
 
IF &RETURN_CODE NE 0 THEN GOTO END_AUDIT
 
/* POS is the column of the hit.  The byte before it is A for a     */
/* user attribute or G for a group connect attribute, as the report */
/* marks them; anything else is not an attribute hit.               */
ISREDIT (,POS) = CURSOR
 
ISREDIT (DATA) = LINE .ZCSR
 
IF &SUBSTR(&POS-1,&NRSTR(&DATA)) NE &STR(A) AND +
   &SUBSTR(&POS-1,&NRSTR(&DATA)) NE &STR(G) THEN GOTO NEXT_AUDIT
 
/* GRPNM stays null for a user attribute; the output line then      */
/* omits GROUP.  For a connect attribute walk back from the hit to  */
/* the preceding GROUP= tag; GRPNM runs from there to the next      */
/* blank.  The first SET GRPNM is overwritten by the second.        */
SET GRPNM =
IF &SUBSTR(&POS-1,&NRSTR(&DATA)) EQ &STR(G) THEN DO
  DO X = &POS-3 TO &CC BY - 1 +
    UNTIL &SUBSTR(&X:&X+6,&NRSTR(&DATA)) EQ &STR( GROUP=)
    END
  SET Y = &SYSINDEX(&STR( ),&NRSTR(&DATA),&X+1)
  SET GRPNM = &SUBSTR(&X+7:&POS-3,&NRSTR(&DATA))
  SET GRPNM = &SUBSTR(&X+7:&Y-1,&NRSTR(&DATA))
  END
 
SET USERID  = &SUBSTR(01:08,&NRSTR(&DATA))
SET NAME    = &SUBSTR(10:31,&NRSTR(&DATA))
 
/* First finding: heading.  Not Reviewed goes first because each    */
/* entry needs an analyst decision (justification on file).         */
IF &RACF0730 EQ 0 THEN DO
  SET AC = &STR(Not Reviewed)
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
  SET AC = &STR(The following authorization&LP.s&RP to the +
    &ATTRB attribute is &LP.are&RP inappropriate:)
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
  SET AC = &STR( )
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
  SET AC = &STR(1&RP The number of userids granted the &ATTRB +
    attribute is excessive.)
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
  SET AC = &STR(2&RP Justification for authorization was not +
    provided.)
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
  SET AC = &STR( )
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
  END
 
SET RACF0730 = &RACF0730 + 1
 
/* One line per finding; group connects name the group. */
IF &NRSTR(&GRPNM) EQ &STR( ) THEN +
  SET AC = &STR(     &USERID NAME=&NAME ATTRIBUTE=&ATTRB )
ELSE +
  SET AC = &STR(     &USERID NAME=&NAME GROUP=&GRPNM +
    CONNECT ATTRIBUTE=&ATTRB )
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
  DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
 
GOTO NEXT_AUDIT
 
 
/* Summary: Not a Finding when nothing was reported, otherwise the  */
/* DISA recommendation.  ADD_MEMBER then stores the member and      */
/* reloads the report.                                              */
END_AUDIT: +
SET RETURN_CODE = 0
 
IF &RACF0730 EQ 0 THEN DO
  SET AC = &STR(Not a Finding )
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
 
  SET AC = &STR( )
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
 
  SET AC = &STR(No userids were found with attribute of &ATTRB.)
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
      DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
  END
ELSE DO
  SET AC = &STR( )
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
 
  SET AC = &STR(DISA recommendation: Ensure documentation +
    providing justification for access is maintained and filed +
    with the ISSO, and that unjustified access is removed.)
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
  END
 
SYSCALL ADD_MEMBER
 
 
/* *************************************** */
/* END of program                          */
/* *************************************** */
/* Exit: when any step left a severe code, ZISPFRC (the return code */
/* of the ISPF dialog, shared pool) is raised so the driver sees it. */
/* RM527VG and RM527RC hand the VGET code and the final code back   */
/* to the caller.  CANCEL discards the edit session, so the report  */
/* itself is never changed, and the CLIST always ends with code 0.  */
/* NOTE(review): the ELSE branch below stores RETURN_CODE even when */
/* the pool already holds a larger ZISPFRC, which can lower it;     */
/* confirm that this is intended.                                   */
 
 
END_EXIT: +
SET RETURN_CODE = 0
 
ERR_EXIT: +
IF &MAXCC GE 16 OR +
   &RETURN_CODE GT 0 THEN DO
  ISPEXEC VGET (ZISPFRC) SHARED
  IF &MAXCC GT &ZISPFRC THEN +
    SET ZISPFRC = &MAXCC
  ELSE +
    SET ZISPFRC = &RETURN_CODE
  ISPEXEC VPUT (ZISPFRC) SHARED
  WRITE &PGMNAME ZISPFRC = &ZISPFRC
  END
 
SET RM527RC = &RETURN_CODE
 
ISPEXEC VPUT ( +
  RM527VG      +
  RM527RC      +
  ) ASIS
 
/* Discard the edit session; nothing is saved to the report. */
ISREDIT CANCEL
 
/* Status travels in ZISPFRC and RM527RC, not in the exit code. */
EXIT CODE(0)
 
 
/* *************************************** */
/*  SYSCALL SUBROUTINES                    */
/* *************************************** */
 
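DIALOG_RTN: PROC 1 AUMBR
/* ---------------------------------------------------------------- */
/* DIALOG_RTN - exclude authorized users from the current check.    */
/* In:  AUMBR   member of the DIALOG data set (NGLOBAL DATAID) that */
/*              lists authorized userids, one per record, columns   */
/*              1 to 8.  Records starting with * or a blank are     */
/*              treated as comments and skipped.                    */
/* Out: RETURN_CODE  0 when the whole member was read; the LMMFIND  */
/*              code when the member is missing; the LMGET code     */
/*              plus 16 on a read error.                            */
/* Side effect: every listed userid found in the report is EXCLUDEd */
/*              so the check loops skip it (FIND NX or XSTATUS).    */
/* A missing list member is reported on the terminal and nothing is */
/* excluded, so the check then reports every user (fails closed).   */
/* NOTE(review): the content of these members directly suppresses   */
/* findings, so update access to the DIALOG data set is part of the */
/* integrity of every check; keep it restricted and reviewed.       */
/* ---------------------------------------------------------------- */
 
SET RETURN_CODE = 0
 
ISPEXEC LMMFIND DATAID(&DIALOG) MEMBER(&AUMBR)
 
SET LMMFIND_DIALOG_RC = &RETURN_CODE
IF &RETURN_CODE NE 0 THEN DO
  WRITE &PGMNAME Authorized user list &AUMBR not found.
  RETURN
  END
 
GET_NEXT_USR: +
SET RETURN_CODE = 0
 
ISPEXEC LMGET DATAID(&DIALOG) MODE(INVAR) DATALOC(URECORD) +
  MAXLEN(80) DATALEN(LRECL)
 
/* LMGET 8 is the normal end of member; it is not an error, so the */
/* shared RETURN_CODE is cleared as well as the local copy.        */
SET LMGET_DIALOG_RC = &RETURN_CODE
IF &RETURN_CODE EQ 8 THEN DO           /* END OF MEMBER */
   SET LMGET_DIALOG_RC = 0             /* SET RETURN CODE TO 0 */
   SET RETURN_CODE = 0                 /* NORMAL END, NOT AN ERROR */
   RETURN
   END
IF &RETURN_CODE GT 4 THEN DO
  WRITE &PGMNAME LMGET  DIALOG  RC = &RETURN_CODE  &ZERRSM
  SET RETURN_CODE = &RETURN_CODE + 16
  RETURN
  END
 
/* Comment and blank records are skipped. */
IF &SUBSTR(1,&NRSTR(&URECORD)) EQ &STR(*) OR   +
   &SUBSTR(1,&NRSTR(&URECORD)) EQ &STR( ) THEN +
  GOTO GET_NEXT_USR
 
SET USR = &SUBSTR(1:8,&NRSTR(&URECORD))
 
/* Exclude the report lines whose columns 1 to 8 equal the full    */
/* 8 byte id, trailing blanks included, so a shorter id cannot     */
/* match a longer one.  An id that is not in the report makes      */
/* EXCLUDE return 4; the next GET_NEXT_USR pass resets the code.   */
ISREDIT EXCLUDE ALL '&NRSTR(&USR)' 1
 
GOTO GET_NEXT_USR
 
/*  ---------------   */
 
END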
 
 
ADD_MEMBER: PROC 0
/* ---------------------------------------------------------------- */
/* ADD_MEMBER - store the lines queued with LMPUT as member PDIMBR  */
/* of the PDI data set (NGLOBAL PDIID), then reload the report.     */
/* LMMADD RC 4 means the member already exists; it is then replaced */
/* with LMMREP.  Other failures are written to the terminal and     */
/* RETURN_CODE is left for the caller, which resets it before the   */
/* next check.                                                      */
/* The RESET / DELETE ALL NX / COPY sequence drops the in-storage   */
/* copy of the report, including every EXCLUDE made by DIALOG_RTN,  */
/* and re-reads it from DSNAME, so each check starts from a clean   */
/* copy.  The session is cancelled at exit, so nothing is written   */
/* back to the report.                                              */
/* ---------------------------------------------------------------- */
 
/* Progress note in the ISPF log (ISRZ000 shows ZEDSMSG/ZEDLMSG).   */
SET ZEDSMSG = FINISHED
SET ZEDLMSG = &STR(Finished processing &PDIMBR.)
ISPEXEC LOG MSG(ISRZ000)
 
SET RETURN_CODE = 0
 
ISPEXEC LMMADD DATAID(&PDIID) MEMBER(&PDIMBR)
 
IF &RETURN_CODE EQ 4 THEN DO          /* MEMBER ALREADY EXISTS
  SET RETURN_CODE = 0
 
  ISPEXEC LMMREP DATAID(&PDIID) MEMBER(&PDIMBR)
 
  IF &RETURN_CODE NE 0 THEN DO
    WRITE &PGMNAME LMMREP_PDI_RCODE = &RETURN_CODE &PDIMBR  &ZERRSM
    END
  END
ELSE DO
  IF &RETURN_CODE NE 0 THEN +
    WRITE &PGMNAME LMMADD_PDI_RCODE = &RETURN_CODE &PDIMBR  &ZERRSM
  END
 
/* RESET clears the exclusions, so DELETE ALL NX removes every line; */
/* COPY then reloads the report from the data set being viewed.      */
ISREDIT RESET
ISREDIT DELETE ALL NX
SET RETURN_CODE = 0
ISREDIT COPY '&DSNAME' AFTER .ZF
 
END
